1. Field of the Invention
The present invention relates to security, specifically to systems, methods, devices, and articles of manufacture for detecting and managing security threats.
2. Description of the Related Art
The current state of the art for threat management is a disjoint collection of tools for intrusion detection (both host-based and network-based), intrusion prevention, and forensics. For example, Snort is a network-based intrusion detection system, written in C, that processes network traffic against a set of signature rules to detect intrusions into the network. However, Snort by itself does nothing to protect a computer from the effects of an intrusion, nor does it collect forensic-quality information. A variety of host-based intrusion detection products can detect local intrusions into a single computer, but they cannot detect all attacker-driven activity, nor can they assist in the detection of large-scale attacks against multiple computers or of distributed attacks in which different computers play different roles.
Few of these products provide any intrusion prevention facilities, and none of them provide forensic-quality information or forensic evidence preservation. Forensics tools such as EnCase provide excellent discovery of detailed information from disk drives, with the ability to reconstruct files and file systems and determine what happened on the disk. However, these forensics tools cannot capture volatile information (running processes, open network connections, memory contents) in real time as threats are emerging, nor can they take any preventive or corrective action.
Furthermore, forensics tools are highly disruptive in their use, requiring complete disk images to be created, during which the machine is unavailable, and after which the machine is typically wiped clean and re-installed. Current anti-virus and anti-spyware products are adept at recognizing a wide range of known viruses and removing them, but they cannot automatically and readily adapt to previously unseen threats. These products do not collect any forensic information and are not involved in identifying the effect the virus or spyware has had on the computing system.
Some improvements have been made in the field. Examples of references related to the present invention are described below, and the supported teachings of each reference are incorporated by reference herein:
U.S. Pat. No. 7,096,498, issued to Judge, discloses systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
The inventions heretofore known suffer from a number of disadvantages, which include: failure to provide a comprehensive security detection and/or management service for multiple devices, some of which may be remote; failure to provide real-time forensic data; difficulty of use; slow response; inadequate response; inadequate detection; and/or inadequate threat evaluation.
What is needed is a system, method, device, and/or an article of manufacture that solves one or more of the problems described herein and/or one or more problems that may come to the attention of one skilled in the art upon becoming familiar with this specification.